Service Provider administrators are Identity Manager users that are assigned capabilities and can control organizations. These administrators can be created and maintained in the same way as Identity Manager administrators.
Several different levels of administrators might be needed in your environment to perform various tasks, such as the following:
The lowest level of administrator might be permitted to create and edit end user (customer) accounts only. There might be thousands of administrators with these capabilities.
Another level of administrator might be permitted to create, edit, and delete low-level administrators as well as customer accounts. There might be hundreds of such administrators.
A set of administrators to manage the LDAP directory and other resources. There might be several dozen of this type of administrator.
A few high-level administrators that have super user abilities.
The last two categories of administrators would likely be created and maintained manually in the Administrator Interface. However, to create the lower-level administrators, perform the following tasks:
Review the object classes and attributes present in your LDAP directory and determine which of these items contain data that indicates the user should have administrative powers. For example, you might have an attribute that indicates a user is a retailer or manager. A retailer would have the ability to create accounts. A manager might be permitted to create retailer accounts.
Add the attributes to the schema map of the LDAP resource.
Determine how you will limit the scope of each administrator. For example, a retailer based in Texas probably should not be allowed to create accounts for users who live in New York. Similarly, a manager should not be allowed to delete accounts outside her realm.
Create organizations in Identity Manager that correspond to the scopes defined in the previous step.
Create a user form that creates an Identity Manager account and assigns capabilities and an organization to each administrator. The user form must use the attributes defined in Organization-Based Authorization.
Use reconciliation or another data loading mechanism to load the administrator accounts into Identity Manager.
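The mapping these steps describe, modelled in Python as an added example (it is not Identity Manager code or a user form): directory attributes decide the capabilities, and a scope attribute decides the single organization the administrator controls. The attribute names `employeeType` and `st`, the capability names, and the organization paths are assumptions made for illustration.

```python
# Added illustration, not Identity Manager code. Attribute names, capability
# names and organization paths below are hypothetical.

# Role value found in the directory -> capabilities the form would assign.
ROLE_CAPABILITIES = {
    "retailer": {"create_customer", "edit_customer"},
    "manager": {"create_customer", "edit_customer", "delete_customer",
                "create_retailer", "edit_retailer", "delete_retailer"},
}

# Organizations created to match the scopes chosen for administrators.
ORGANIZATIONS = {"Top:US:Texas", "Top:US:NewYork"}


def derive_admin(entry):
    """Map one LDAP entry (attribute -> list of values) to an admin record.

    Returns None for entries with no administrative role. Raises ValueError
    when the scope cannot be resolved, instead of falling back to a broader
    organization.
    """
    granted = set()
    for role in entry.get("employeeType", []):
        granted |= ROLE_CAPABILITIES.get(role.lower(), set())
    if not granted:
        return None
    states = entry.get("st", [])
    if len(states) != 1:
        raise ValueError("admin entry needs exactly one scope value")
    org = "Top:US:" + states[0].replace(" ", "")
    if org not in ORGANIZATIONS:
        raise ValueError("no organization for scope " + states[0])
    return {"uid": entry["uid"][0], "capabilities": granted, "controls": org}


def may(admin, capability, target_org):
    """True only if the admin holds the capability and the target account is
    in the controlled organization or one of its child organizations."""
    scope = admin["controls"]
    in_scope = target_org == scope or target_org.startswith(scope + ":")
    return capability in admin["capabilities"] and in_scope
```

Failing closed on an unresolved scope matters when accounts are bulk-loaded: an entry with a missing or unexpected scope value is rejected rather than placed in a parent organization where it would control more accounts than intended.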